
Why am I unable to send field value from search to custom alert script?

I have an alert that triggers when a fail percentage from a scheduled search runs. If I reference the field using $result.Percent$, where Percent is the field with the value I want to include, I can reference this token in the email subject action just fine. However, when I try to use it in our custom action by referencing it as below, I can't seem to get it to work.

Basically, we are just creating a JSON payload and parsing it in the simple script below. The other info comes in fine, but the extradetails, where I am testing this, always comes back empty:

    def post_event(payload):
        settings = payload.get('configuration')

These are all defined in the alert. Here is the stanza. For whatever reason, the results_file="$results.file$" results_link="$results.link$" portions work fine, but the results_Percent="$result.Percent$" part never gets a value even though the email action easily picks this value up.
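
A diagnostic sketch for the setup described in the question, added here and not part of the original post or of any Splunk-supplied code: it lists which `configuration` parameters arrived empty and falls back to the first-result row that Splunk passes under the payload's `result` key. The helper names `empty_params` and `resolve_field` and the sample payload are constructed for illustration; the poster's `post_event` is not reproduced.

```python
import json
import sys


def empty_params(payload):
    """Return names of configuration params whose token expanded to nothing."""
    config = payload.get("configuration") or {}
    return sorted(k for k, v in config.items() if v is None or str(v).strip() == "")


def resolve_field(payload, param, field):
    """Prefer the token-expanded param; fall back to the first result row.

    Returns (value, source) where source is 'configuration', 'result' or None.
    """
    config = payload.get("configuration") or {}
    value = config.get(param)
    if value is not None and str(value).strip() != "":
        return str(value), "configuration"
    row = payload.get("result") or {}
    if field in row and str(row[field]).strip() != "":
        return str(row[field]), "result"
    return None, None


# Constructed sample payload (not captured from a real Splunk instance).
SAMPLE_PAYLOAD = {
    "search_name": "fail percentage alert",
    "results_file": "/constructed/path/results.csv.gz",
    "configuration": {
        "results_file": "/constructed/path/results.csv.gz",
        "results_link": "http://splunk.example:8000/constructed",
        "results_Percent": "",  # assumed symptom: token left empty
    },
    "result": {"Percent": "12.5"},
}

if __name__ == "__main__" and len(sys.argv) > 1 and sys.argv[1] == "--execute":
    # Splunk invokes the alert action script with --execute and JSON on stdin.
    payload = json.loads(sys.stdin.read())
    # Diagnostics go to stderr so they stay out of the script's stdout.
    print("empty params: %s" % empty_params(payload), file=sys.stderr)
    value, source = resolve_field(payload, "results_Percent", "Percent")
    print("Percent=%r from %s" % (value, source), file=sys.stderr)
```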
